Abstract. Disjunctive Linear Arithmetic (DLA) is a major decidable theory that is supported by
almost all existing theorem provers. The theory consists of Boolean combinations of predicates of
the form $\sum_{j=1}^{n} a_j \cdot x_j < b$, where the coefficients $a_j$, the bound $b$ and the variables $x_1 \ldots x_n$ are of
type Real ($\mathbb{R}$). We show a reduction to propositional logic from disjunctive linear arithmetic based
on Fourier-Motzkin elimination. While the complexity of this procedure is not better than that of competing
techniques, it has practical advantages in solving verification problems. It also promotes the option
of deciding a combination of theories by reducing them to this logic. Results from experiments show
that this method has a strong advantage over existing techniques when there are many disjunctions
in the formula.



1 Introduction 

Disjunctive Linear Arithmetic (DLA) is a major decidable theory that is supported
by almost all existing theorem provers, and is used frequently when proving infinite
state systems. The theory consists of Boolean combinations of predicates of the form
$\sum_{j=1}^{n} a_j \cdot x_j < b$, where the coefficients $a_j$, the bound $b$ and the variables $x_1 \ldots x_n$ are
of type Real ($\mathbb{R}$).

Decision procedures for this theory typically handle disjunctions by 'case-splitting',
i.e., transforming the formula to Disjunctive Normal Form (DNF) and then solving
each clause separately. Naive case-splitting procedures explicitly transform the
formula to DNF, and are therefore very restricted in the size of the formula that they can
handle (the number of clauses in the resulting formula can be exponential in the size
of the original formula). More sophisticated implementations split the formula only
'as needed', which in many cases increases the capacity of these procedures, although
there can still be an exponential number of cases to solve.

* This research was supported in part by the Office of Naval Research (ONR) and the Naval Research Laboratory
(NRL) under contract no. N00014-01-1-0796.

** An early version of this article appeared in [20].



Recently a different approach was introduced almost simultaneously by three different
groups [8, 23]. The procedure is based on a combination of a SAT procedure
and an arithmetic solver, and is now implemented by tools such as CVC, mathsat and
ICS-SAT¹. The procedure works roughly as follows. The linear predicates are encoded
with Boolean variables, and then the encoded Boolean formula is solved with a SAT
solver. If the SAT instance is unsatisfiable, then the procedure terminates and declares
the formula unsatisfiable. Otherwise, it checks whether the given assignment is
consistent with respect to the linear constraints. This step amounts to solving a conjunction
of predicates or negations of predicates, which is possible by using any number of
procedures (see below). If a satisfying assignment is found, then the procedure terminates
and declares the formula to be satisfiable. Otherwise, it backtracks in order to find a
different assignment, while typically (depending on the specific system) applying a
learning mechanism, i.e. adding a Boolean conflict clause that prevents a repetition of
the bad assignment. Although this approach can still be seen as case splitting, as it
still may call the arithmetic solver an exponential number of times, the learning and
pruning power of the SAT solver makes it far more robust than naive case-splitting
methods. We will further discuss the advantages and disadvantages of these techniques
in section 4.3.

The lower-bound complexity of solving each DNF clause, i.e., a conjunction of
linear constraints, is polynomial [13]. When considering small to medium size problems,
such as those typically encountered in formal verification, the existing polynomial
procedures are rarely better in practice than some exponential methods
like Simplex [7] and the various variable-elimination techniques. For this reason, as
far as we know, no automated theorem prover uses a polynomial procedure for linear
arithmetic.

The most commonly used method by theorem provers is the Fourier-Motzkin (FM)
variable elimination method [?], which is used in popular tools such as PVS [?], ICS,
SVC [?], IMPS [?] and others. We describe the FM method in detail in section
2. Although FM has a worst-case super-exponential complexity, it is popular because
it is frequently faster than competing methods for the size of instances encountered
in practice. Hence, the current practice in solving DLA is to solve, in the worst case,
an exponential number of FM instances. Theoretically this is not the best possible, as
explained above, but experience has shown that for the type of formulas encountered
in verification, it is adequate.



¹ ICS-SAT is the name we use for the version of ICS that works according to this combined approach. The distinction
between the two versions is important in this article, as ICS works with case-splitting.



The procedure described in this paper solves one FM instance in order to generate
a SAT instance, and then solves this instance with a standard SAT solver. It has a
similar complexity to what we just described as the common practice, but we expect
it to be better in practice for reasons that we will discuss later. SAT solvers
are generally far more efficient than case splitting in handling propositional combinations
of formulas, although both have the same theoretical complexity. Propositional
SAT checkers apply techniques like learning, pruning and guidance ('guidance' refers
to heuristics for prioritizing the internal steps of the decision procedure) that cannot
be easily imitated by case-splitting. We refer the reader to [?], where an elaborate
discussion of this distinction is given. Based on this observation, our suggested procedure
is expected to be more efficient than case-splitting methods in deciding formulas
where the case-splitting itself is the bottleneck of the procedure, i.e., formulas whose
equivalent DNF has many clauses, but each one of them is relatively small.

An efficient reduction of DLA to propositional logic not only makes it possible to (potentially)
solve such formulas faster, but also to integrate them with other theories at the propositional
logic level. Many other decidable theories that are frequently encountered in
verification (e.g. bit-vector arithmetic [12]) already have such reductions to propositional
logic. Solving mixed theories by reducing them to a common logic facilitates
the application of various learning techniques between sub-expressions that originate
from different theories. Furthermore, current popular techniques for integrating theories
such as Nelson-Oppen [16] invoke different procedures for deciding each theory,
and propagate equalities between them in order to decide the combined theory. The
overhead of this mutual updating can become significant. This overhead is avoided if
only one procedure (SAT in this case) is used.

The rest of the article is structured as follows. In the next section we briefly describe
the FM method. In section 3 we present a propositional version of the same procedure
and explain how it can be used to reduce DLA to SAT. In section 4 we present a
method called 'conjunctions matrices', which is useful for reducing the complexity of
the procedure described in section 3. In section 5 we summarize our experiments with
this method on both real examples and random instances.

2 Fourier-Motzkin Elimination 

A linear inequality predicate over $n$ variables has the form $\sum_{j=1}^{n} a_j \cdot x_j < b$. A
conjunction of $m$ such constraints is conveniently described by $C : A\bar{x} < \bar{b}$ where $A$ is
an $m \times n$ real-valued coefficient matrix, $\bar{x} = x_1 \ldots x_n$ is a vector of $n$ variables, and $\bar{b}$
is a vector of real-valued bounds. Given a variable order $x_1 \ldots x_n$ the FM method
eliminates (existentially quantifies) them in decreasing order. Each variable is eliminated by
projecting its constraints on the rest of the system. The procedure works as follows: at
each elimination step, the list of constraints is partitioned into three segments, according
to the sign of the coefficient of $x_n$ in each constraint. Let $a_{i,n}$ denote the coefficient of
$x_n$ in constraint $i$, for $i \in [1..m]$.
The three segments are:

1. For all $i$ s.t. $a_{i,n} > 0$: $a_{i,n} \cdot x_n < b_i - \sum_{j=1}^{n-1} a_{i,j} \cdot x_j$

2. For all $i$ s.t. $a_{i,n} < 0$: $\sum_{j=1}^{n-1} a_{i,j} \cdot x_j - b_i < -a_{i,n} \cdot x_n$

3. For all $i$ s.t. $a_{i,n} = 0$: $\sum_{j=1}^{n-1} a_{i,j} \cdot x_j < b_i$

The first and second segments correspond to upper and lower bounds on $x_n$ respectively.
To eliminate $x_n$, FM replaces each pair of lower and upper bound constraints
$L < c_l \cdot x_n$ and $c_u \cdot x_n < U$, where $c_l, c_u > 0$, with the new constraint $c_u \cdot L < c_l \cdot U$.
If, in the process of elimination, the procedure derives the constraint $c < 0$ where $c$ is
a constant greater than 0, it terminates and indicates that the system is unsatisfiable.

Note that it is possible that variables are not bounded from both ends. In this case it 
is possible to simplify the system by removing these variables from the system together 
with all the constraints to which they belong. This can make other variables unbounded. 
Thus, this simplification stage iterates until no such variables are left. 

The FM method can result in the worst case in $m^{2^n}$ constraints, which is the reason
that it is only suitable for a relatively small set of constraints with a small number
of variables. There are various heuristics for choosing the elimination order. A standard
greedy criterion gives priority to variables whose elimination produces the fewest new
constraints.

Example 1. Consider the following formula:

$\varphi = x_1 - x_2 < 0 \wedge x_1 - x_3 < 0 \wedge -x_1 + 2x_3 + x_2 < 0 \wedge -x_3 < -1$

The following table demonstrates the elimination steps following the variable order
$x_1, x_2, x_3$:

Eliminated var | Lower bound             | Upper bound     | New constraint
---------------|-------------------------|-----------------|----------------
$x_1$          | $-x_1 + 2x_3 + x_2 < 0$ | $x_1 - x_2 < 0$ | $2x_3 < 0$
               | $-x_1 + 2x_3 + x_2 < 0$ | $x_1 - x_3 < 0$ | $x_2 + x_3 < 0$
$x_2$          | no lower bound          |                 |
$x_3$          | $-x_3 < -1$             | $2x_3 < 0$      | $2 < 0$

The last line results in a contradiction, which implies that this system is unsatisfiable.

□



The extension of FM to handle a combination of strict (<) and weak (≤) inequalities is
simple. If either the lower or the upper bound is a strict inequality, then so is the resulting
constraint.

In the next section we present a Boolean version of the FM method.

3 A Boolean version of Fourier-Motzkin

Given a DLA formula $\varphi$, we now show how to derive a propositional formula $\varphi'$ s.t.
$\varphi$ is satisfiable iff $\varphi'$ is satisfiable. The procedure for generating $\varphi'$ emulates the FM
method.

1. Normalize $\varphi$:

(a) Rewrite equalities as conjunctions of inequalities.

(b) Transform to Negation Normal Form (negations are allowed only over atomic
constraints).

(c) Eliminate negations by reversing inequality signs.

2. Encode each inequality $i$ with a Boolean variable $e_i$. Let $\varphi'$ denote the encoded
formula.

3. (a) Perform FM elimination on the set of all constraints in $\varphi$, while assigning new
Boolean variables to the newly generated constraints.

(b) At each elimination step, for every pair of constraints $e_i, e_j$ that result in the
new constraint $e_k$, add the constraint $e_i \wedge e_j \rightarrow e_k$ to $\varphi'$.

(c) If $e_k$ represents a contradiction (e.g., $1 < 0$), replace $e_k$ by FALSE.

We refer to this procedure from here on as Boolean Fourier-Motzkin (BFM).
Example 2. Consider the following formula:

$\varphi = 2x_1 - x_2 < 0 \wedge (2x_2 - 4x_3 < 0 \vee x_3 - x_1 < -1)$

By assigning an increasing index to the predicates from left to right we initially get

$\varphi' = e_1 \wedge (e_2 \vee e_3)$.

Let $x_1, x_2, x_3$ be the elimination order. The following table illustrates the process
of updating $\varphi'$:

Eliminated var | Lower bound       | Upper bound       | New constraint    | Encoding | Add to $\varphi'$
---------------|-------------------|-------------------|-------------------|----------|------------------
$x_1$          | $x_3 - x_1 < -1$  | $2x_1 - x_2 < 0$  | $2x_3 - x_2 < -2$ | $e_4$    | $e_3 \wedge e_1 \rightarrow e_4$
$x_2$          | $2x_3 - x_2 < -2$ | $2x_2 - 4x_3 < 0$ | $4 < 0$           | FALSE    | $e_4 \wedge e_2 \rightarrow$ FALSE

Thus, the resulting satisfiable formula is:

$\varphi' = (e_1 \wedge (e_2 \vee e_3)) \wedge (e_1 \wedge e_3 \rightarrow e_4) \wedge (e_4 \wedge e_2 \rightarrow \mathrm{FALSE})$

□

Example 2 demonstrates the main drawback of this method. Since in step 2 we consider
all inequalities, regardless of the Boolean connectives between them, the number
of constraints that the FM procedure adds is potentially larger than those that we would
add if we considered each case separately (where a 'case' corresponds to a conjoined
list of inequalities). In the above example, case splitting would result in two cases, none
of which results in added constraints. Since the complexity of FM is the bottleneck of
this procedure, this drawback may significantly worsen the overall run time and risk
its usability.

As a remedy, we will suggest in section 4 a polynomial method that bounds the
number of constraints to the same number that would otherwise be added by solving
the various cases separately.

Complexity of deciding $\varphi'$. The encoded formula $\varphi'$ has a unique structure that makes
it easier to solve compared to a general propositional formula of similar size. Let $m$
be the set of encoded predicates of $\varphi$ and $n$ be the number of variables.

Proposition 1. $\varphi'$ can be decided in time bounded by $O(2^{|m|} \cdot |m|^{2^n})$.

Proof. SAT is worst case exponential in the number of decided variables and linear in
the number of clauses. The Boolean values assigned to the predicates in $m$ imply the
values of all the generated predicates². Thus, we can restrict the SAT solver to split
only on $m$. Hence, in the worst case the SAT procedure is exponential in $m$ and linear
in the number of clauses, which in the worst case is $|m|^{2^n}$. □

4 Conjunctions matrices 

Case splitting can be thought of as a two step procedure, where in the first step the 
formula is transformed to DNF, and in the second each clause, which now includes a 
conjunction of constraints, is solved separately. In this section we show how to predict, 
in polynomial time, whether a given pair of predicates would share a clause if the 
formula was transformed to DNF. It is clear that there is no need to generate a new 
constraint from two predicates that do not share a clause. 

² Note that the constraints added in step 3 are Horn clauses. This means that for a given assignment to the predicates
in $m$, these constraints are solvable in linear time.



4.1 Joining operands 



We assume that $\varphi$ is normalized, as explained in step 1. Let $\varphi'_1$ denote the encoded
formula after step 2 and $\varphi'_2$ denote the added constraints of step 3 (thus, after step 3,
$\varphi' = \varphi'_1 \wedge \varphi'_2$). All the internal nodes of the parse tree of $\varphi'_1$ correspond to either
disjunctions or conjunctions. Consider the lowest common parent of two leaves $e_i, e_j$
in the parse tree. We call the Boolean operand represented by this node the joining
operand of these two leaves and denote it by $J(e_i, e_j)$.

Example 3. In the formula $\varphi'_1 = e_1 \wedge (e_2 \vee e_3)$, $J(e_1, e_2) = $ '∧' and $J(e_2, e_3) = $ '∨'.

□

For simplicity, we first assume that no predicate appears in $\varphi$ more than once. In section
4.2 we solve the more general case. Denote by $\varphi^D$ the DNF representation of $\varphi$. The
following proposition is the basis for the prediction technique:

Proposition 2. Two predicates $e_i, e_j$ share a clause in $\varphi^D$ iff $J(e_i, e_j) = $ '∧'.

Proof. Recall that $\varphi'_1$ does not contain negations and no predicate appears more than
once. (⇒) Let node denote the node joining $e_i$ and $e_j$, and assume it represents a
disjunction ($J(e_i, e_j) = $ '∨'). Transform the right and left branches descending from node
to DNF. A disjunction of two DNF formulas is a DNF, and therefore the formula under
node is now a DNF expression. If node is the root or if there are only disjunctions on
the path from node to the root, we are done. Otherwise, the distribution of conjunction
only adds elements to each of the clauses under node but does not join them into a
single clause. Thus, $e_i$ and $e_j$ do not share a clause if their joining operand is a
disjunction. (⇐) Again let node denote the node joining $e_i$ and $e_j$, and assume it represents
a conjunction ($J(e_i, e_j) = $ '∧'). Transform the right and left branches descending from
node to DNF. Transforming a conjunction of two DNF subformulas back to DNF is
done by forming a clause for each sequence of literals from the different clauses. Thus,
at least one clause contains $e_i \wedge e_j$. Since there are no negations in the formula, the
literals in this clause remain together in $\varphi^D$ regardless of the Boolean operands above
node. □

For a given pair of predicates, it is a linear operation (in the height of the parse tree $h$)
to check whether their joining operand is a conjunction or a disjunction. If there are $m$
predicates in $\varphi$, constructing the initial $m \times m$ conjunctions matrix $M_\varphi$ of $\varphi$ has the
complexity of $O(m^2 h)$. $M_\varphi$ is a binary, symmetric matrix, where $M_\varphi[e_i, e_j] = 1$ if and
only if $J(e_i, e_j) = $ '∧'. For example, $M_\varphi$ corresponding to $\varphi'_1$ of example 3 is given by

$$M_\varphi = \begin{array}{c|ccc} & e_1 & e_2 & e_3 \\ \hline e_1 & 0 & 1 & 1 \\ e_2 & 1 & 0 & 0 \\ e_3 & 1 & 0 & 0 \end{array}$$

Given proposition 2, an entry of 1 means that the two predicates share at least one clause in $\varphi^D$.
New entries are added to $M_\varphi$ when new constraints are generated, and other entries,
corresponding to constraints with non-zero coefficients over eliminated variables, are
removed. The entry for a new predicate $e_k$ that was formed from the predicates $e_i, e_j$
is updated as follows:

$\forall l \in [1..k-1].\ M_\varphi[e_k, e_l] = M_\varphi[e_i, e_l] \wedge M_\varphi[e_j, e_l]$

This reflects the fact that the new predicate is relevant only to predicates that share a
clause with both $e_i$ and $e_j$.

4.2 Handling repeating predicates 

Practically, most formulas contain predicates that appear more than once, in different
parts of the formula. We denote by $e_i^k$, $k \geq 1$, the $k$-th instance of the predicate $e_i$ in
$\varphi'$. It is possible that the same pair of predicates has different joining operands, e.g.
$J(e_1^1, e_2^1) = $ '∧' but $J(e_1^1, e_2^2) = $ '∨'. There are two possible solutions to this problem:

1. Represent each predicate instance as a separate predicate.

2. Assign $M_\varphi[e_i, e_j] = 1$ if there exists an instance of $e_i$ and of $e_j$ s.t. $J(e_i, e_j) = $ '∧'.

The first option leads to a higher complexity of constructing the initial conjunctions
matrix, because it is determined by the number of predicate instances rather than the
number of unique predicates. More specifically, if $m'$ denotes the number of predicate
instances, then the complexity of constructing the initial matrix is $O(m'^2 h)$.
The second option has a more concise representation, but may result in redundant
constraints, as the example below demonstrates.

Example 4. Let $\varphi'_1 = e_1 \wedge (e_2 \vee e_3) \vee (e_2 \wedge e_3)$. According to option 2, $\varphi'$ contains only
three predicates $e_1 \ldots e_3$ and therefore $M_\varphi$ is a $3 \times 3$ matrix with an entry '1' in all its
cells. Thus, $M_\varphi$ does not contain the information that the three predicates never appear
together in the same clause, which potentially results in redundant constraints. □

Conjunctions matrices can be used to speed up many of the other decision procedures
that were published in the last few years for subsets of linear arithmetic [11, 6, 4, 5, 18, 22].
We refer the reader to a technical report [21] for a detailed description of how this can
be done.



4.3 A revised decision procedure and its complexity 

Given the initial conjunctions matrix $M_\varphi$, we now change step 3 as follows:

3. (a) Perform FM elimination on the set of all constraints in $\varphi$ while assigning new
Boolean variables to the newly generated constraints.

(b) At each elimination step consider the pair of constraints $e_i, e_j$ only if $M_\varphi[e_i, e_j] = 1$.
In this case let $e_k$ be the new predicate.

i. Add the constraint $e_i \wedge e_j \rightarrow e_k$ to $\varphi'$.

ii. If $e_k$ represents a contradiction (e.g., $1 < 0$), replace $e_k$ by FALSE.

iii. Otherwise update $M_\varphi$ as follows:

$\forall l \in [1..k-1].\ M_\varphi[e_k, e_l] = M_\varphi[e_i, e_l] \wedge M_\varphi[e_j, e_l]$.

The main difference between this procedure and the previous one is that now step
3(b) is restricted to pairs of predicates that are conjoined in the DNF of the formula.
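The FM step of section 2, the Boolean encoding of section 3 and the conjunctions matrix of sections 4.1 and 4.3, as an added Python example that is not part of the paper or of the BFM tool; the constraint tuples, the nested-tuple formula representation and the brute-force check of φ' (splitting only on the original predicates, as in Proposition 1) are this example's own choices, and the inputs are Examples 1 and 2 of the paper.

```python
from itertools import product

# A constraint sum_j a_j*x_j < b (strict) or <= b is the tuple (coeffs, b, strict);
# predicate e_{i+1} of the paper is index i. A formula is a nested tuple
# ('and'|'or', left, right) whose leaves are predicate indices (constructed format).

def resolve(lower, upper, var):
    """FM step (section 2): L < c_l*x_var and c_u*x_var < U give c_u*L < c_l*U."""
    (al, bl, sl), (au, bu, su) = lower, upper
    cl, cu = -al[var], au[var]                     # both > 0 by the segment rule
    coeffs = tuple(cu * x + cl * y for x, y in zip(al, au))    # x_var cancels
    return coeffs, cu * bl + cl * bu, sl or su     # strict if either parent is strict

def leaves(node):
    return [node] if isinstance(node, int) else leaves(node[1]) + leaves(node[2])

def conjunctions_matrix(formula, m):
    """Section 4.1: M[i][j] = 1 iff the joining operand of e_i, e_j is a conjunction
    (leaves under the two children of a node have it as lowest common parent)."""
    M = [[0] * m for _ in range(m)]
    def walk(node):
        if isinstance(node, int):
            return
        if node[0] == 'and':                       # repeated predicates: option 2 of 4.2
            for i in leaves(node[1]):
                for j in leaves(node[2]):
                    M[i][j] = M[j][i] = 1
        walk(node[1])
        walk(node[2])
    walk(formula)
    return M

def bfm(preds, order, M=None):
    """Boolean FM (section 3) restricted as in 4.3: a lower/upper pair e_i, e_j is resolved
    only if M[i][j] == 1 (M=None: every pair). Returns (i, j, k) meaning e_i ∧ e_j → e_k."""
    preds, implications = list(preds), []          # k=None stands for FALSE
    M = [row[:] for row in M] if M is not None else [[1] * len(preds) for _ in preds]
    active = list(range(len(preds)))               # constraints still in the system
    for var in order:
        lower = [i for i in active if preds[i][0][var] < 0]
        upper = [i for i in active if preds[i][0][var] > 0]
        active = [i for i in active if preds[i][0][var] == 0]
        for i in lower:
            for j in upper:
                if not M[i][j]:
                    continue                       # e_i, e_j never share a DNF clause
                new = resolve(preds[i], preds[j], var)
                if not any(new[0]):                # constant resolvent, e.g. 4 < 0
                    if new[1] < 0 or (new[1] == 0 and new[2]):
                        implications.append((i, j, None))    # contradiction: FALSE
                    continue                       # a true constant adds nothing
                k = len(preds)
                preds.append(new)
                for row in M:
                    row.append(0)
                M.append([0] * (k + 1))
                for l in range(k):                 # M[e_k,e_l] = M[e_i,e_l] ∧ M[e_j,e_l]
                    M[k][l] = M[l][k] = M[i][l] & M[j][l]
                implications.append((i, j, k))
                active.append(k)
    return implications

def evaluate(node, val):
    if isinstance(node, int):
        return val[node]
    return (all if node[0] == 'and' else any)(evaluate(c, val) for c in node[1:])

def satisfiable(formula, m, implications):
    """Proposition 1: split only on the m originals; the Horn implications force the rest."""
    for bits in product([False, True], repeat=m):
        if not evaluate(formula, bits):
            continue
        val = list(bits)
        for i, j, k in implications:
            forced = val[i] and val[j]
            if k is None and forced:
                break                              # e_i ∧ e_j → FALSE is violated
            if k is not None:
                val.append(forced)                 # k == len(val) by construction
        else:
            return True
    return False

# Constructed inputs: Example 1 (x1-x2<0 ∧ x1-x3<0 ∧ -x1+2x3+x2<0 ∧ -x3<-1) and
# Example 2 (2x1-x2<0 ∧ (2x2-4x3<0 ∨ x3-x1<-1)) of the paper, all strict.
EX1_PREDS = [((1, -1, 0), 0, True), ((1, 0, -1), 0, True),
             ((-1, 1, 2), 0, True), ((0, 0, -1), -1, True)]
EX1_FORMULA = ('and', ('and', ('and', 0, 1), 2), 3)
EX2_PREDS = [((2, -1, 0), 0, True), ((0, 2, -4), 0, True), ((-1, 0, 1), -1, True)]
EX2_FORMULA = ('and', 0, ('or', 1, 2))

def decide(formula, preds, use_matrix):
    """Returns (is φ' satisfiable, number of implications added to φ')."""
    M = conjunctions_matrix(formula, len(preds)) if use_matrix else None
    imps = bfm(preds, range(len(preds[0][0])), M)  # elimination order x1, ..., xn
    return satisfiable(formula, len(preds), imps), len(imps)
```

For Example 2, `decide` reports 2 implications without the matrix (the table of Example 2, ending in FALSE) and 1 with it, because $M_\varphi[e_4, e_2] = 0$ blocks the resolvent $4 < 0$; Example 1 yields the three resolvents of its table and is reported unsatisfiable.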

Given the revised procedure, we now compare the number of constraints that it
generates to those of the case-splitting methods and of the combined SAT/FM method
[8, 23] that was described in the introduction. Let bfm, split and comb be the number
of constraints that are generated by these three techniques, respectively.

Claim 1. For unsatisfiable formulas, BFM generates a number of constraints less than or
equal to the accumulated number of constraints that are generated by case splitting
(bfm ≤ split).

This claim can be easily justified with the observation that, due to conjunctions matrices,
no constraint is generated in BFM that is not a resolvent of two constraints in a DNF
clause. This means that the same resolvent is generated by case-splitting methods. In
satisfiable instances, the number of constraints generated by case splitting depends on
the location of the first satisfiable clause. While case splitting terminates after finding
the first such clause, BFM generates all constraints.

Claim 2. In most cases in which the formula is unsatisfiable, bfm ≪ split.

The reason for the big difference between the two procedures is that constraints that
are repeated in many separate cases resolve into a single new constraint in BFM. For
example, naive case splitting over the formula $\varphi = e_1 \wedge e_2 \wedge (e_3 \vee e_4)$ generates the
resolvent of $e_1$ and $e_2$ twice, while BFM only generates it once³. As stated above, the
comparison of the two methods is harder in the case of satisfiable formulas, since the
number of constraints generated by case splitting procedures depends on the location
of the first satisfiable clause.

³ A smarter implementation of case splitting can identify, in this simple example, that the resolvent has to be generated
only once. But in the general case redundant constraints can be generated.

The value of comb is harder to compare to bfm and split, because in practice it
strongly depends on the success of the heuristics in the SAT procedure in pruning the
search space. By guiding the search, the SAT solver may eventually call the arithmetic
procedure for only a small subset of the possible combinations of predicates. In the
worst case, however, comb can be larger than split, because it may generate resolvents
of constraints that belong to different DNF clauses (adding conjunctions matrices to
this method can solve this problem; such an optimization was not described, though,
in the literature [8, 23]).

Conjunctions matrices are not the only reason for the potentially larger number of
constraints that are generated by the SAT/FM combined procedure. Unlike BFM, this
algorithm may generate the same constraint more than once. Such repeated resolution
can occur, for example, if a pair of consistent predicates appears in many satisfying
assignments. When each of these assignments is checked for consistency, the resolvent
of this pair is potentially regenerated. Although saving this information in a hash table
may save some of this repeated work, it may introduce a new source of complexity
because of the possibly exponential number of resolvents.

A third source for a large number of redundant constraints in the combined procedure,
which does not occur in BFM, is the following. Given a set of predicates $p_1 \ldots p_n$,
assume that only $p_1$ and $p_2$ are contradictory. Once the conflict in the set $p_1 \ldots p_n$ is
identified, a conflict clause of size $n$ is added, which prevents a repetition of this
assignment. This clause does not, however, prune the other $2^{n-2} - 1$ contradictory
assignments to this set. There are several solutions to this problem, all of which are either
computationally expensive or not optimal. CVC tries to overcome this problem by identifying
a small (yet not necessarily minimal) subset of these literals that actually causes
the conflict. In our example, ideally it identifies that $p_1$ and $p_2$ alone cause the conflict.
Consequently it adds a conflict clause of size two, pruning away the redundant assignments
as well as the corresponding resolvents and conflict clauses. The ICS-SAT tool
[8] copes with this problem by following a trial-and-error approach, in which in each
step it tries to remove a predicate and see whether the conflict still occurs. If the answer
is affirmative, it removes the reference to this predicate from the conflict clause. The
success of this approach naturally depends on the order in which the predicates are
removed, and in general does not detect a minimal subset.



5 Experiments 



To test the efficiency of BFM, we implemented a tool called BFM on top of PORTA
[?]. We then randomly generated formulas in 2-CNF style (that is, a 2-CNF where
the literals are linear inequalities) with different numbers of clauses and variables. The
coefficients were chosen randomly in the range −10..10. The time it takes to generate
the SAT instance with BFM is summarized in Fig. 1. The time it takes Chaff [?]
to solve each of the instances that we are able to generate is relatively negligible.
Normally it is less than a second, with the exception of 3 instances that take 10-20
seconds each to solve. All experiments were run on a 1.5 GHz AMD Athlon machine
with 1.5 G memory, on top of Linux.

Fig. 1. Time, in seconds, required for generating a SAT instance for random 2-CNF
style linear inequalities with a varying number of clauses and variables. '*' indicates
running time exceeding 2 hours.



We also ran these instances with ICS and CVC. ICS solves this type of formula
with FM combined with case-splitting, while CVC implements a combined SAT/FM
procedure, as described in the introduction. Both tools can solve only one of these
instances (the 10 × 10 instance) in the specified time bound. They either run out of
memory or out of time in all other cases. This is not very surprising, because in the
worst case $2^c$ separate cases need to be solved, where $c$ is the number of clauses.

The CNF style formulas are harder not only for ICS and CVC, but also for BFM
because they make conjunctions matrices ineffective. Each predicate in $\varphi$ appears with
all other predicates in some clause of $\varphi^D$, except those predicates it shares a clause
with in $\varphi$. Thus, almost all the entries of $M_\varphi$ are equal to '1'. In general, conjunctions
matrices only prevent BFM from adding redundant constraints, and in CNF formulas
only little redundancy is created in the first place. In order to check the effectiveness
of these matrices and experiment with a larger set of formulas, we ran another batch
of examples, where this time the Boolean connectives (conjunction or disjunction)
between the linear constraints are chosen randomly. That is, a formula with $n$ variables
and $m$ clauses has the form $\bigotimes_{i=1..m} (p(n) \;\mathrm{XX}\; p(n))$ where $\mathrm{XX}$ denotes either a conjunction
or a disjunction, and $p(n)$ is a linear predicate with $n$ variables and randomly chosen
coefficients. For each cell in the table of figure 2 we generated six random instances
(a total of 384 random formulas). The numbers in the table represent the average time
it takes to generate the SAT instance with BFM without conjunctions matrices. For
comparison, the time it takes to generate the corresponding SAT instances with
conjunctions matrices is almost negligible (a few seconds to generate the entire set). The
reason for this performance can be attributed to the random construction, which
apparently results in very few concurrent constraints. As before, solving the generated
SAT formulas does not consume a significant amount of time. We also ran CVC on this
batch of examples. CVC can solve 18 formulas out of the 384 rather rapidly (the longest
took about three minutes), but exceeds the time bound or, more frequently, runs out of
memory in all other cases.

There are several interesting things to note about the results in figure 2. First, the
results tend to be worse when the ratio between the number of clauses and the number of
variables is high. This is not surprising because FM is sensitive to the product of upper
and lower bounds on each variable. The higher the ratio is, the larger this product is
on average. Second, although not listed here, there seems to be a very large variance
between the different samples, in particular when the formulas are large. For example,
the standard deviation of the results in each of the cells in the right-most column
is around 400. The reason for these extreme differences is not the different Boolean
structures (to which BFM is insensitive if conjunctions matrices are inactive); rather it is
the different number of lower and upper bounds on each variable, which is determined
by the randomly selected sign of the coefficients.

Next, we ran BFM, ICS and CVC on several real examples. The results, which are
not as conclusive as with the random instances (many of them can be solved easily
by all three tools), are summarized in figure 3. As in the random instances, here too
there seems to be an extreme variation in the performance of the tools with respect
to the different formulas, which can probably be attributed to the FM method. If the
number of constraints starts to grow exponentially, it is typically impossible to solve
the instance in a short time. The examples shown in the table are the following. The
first batch includes seven formulas resulting from symbolic simulation of hardware
designs. The second batch includes four formulas resulting from scheduling problems.
The third batch of examples contains three standard timed-automata verification problems,
namely the verification of a railroad crossing controller. The first three sets of
examples consist of a Boolean combination of separation predicates rather than full
linear arithmetic, i.e. predicates of the form $x < y + c$, where $c$ is a constant. This
is obviously a special case of linear arithmetic. We also examined two standard ICS
benchmarks, 'linsys-035' and 'linsys-100', which consist of 35 and 100 variables and
linear inequalities, respectively. The results corresponding to these examples appear as
the last batch in the table. Note that while ICS solves these instances in a few seconds,
both BFM and CVC cannot solve them in the specified time limit. The reason for this
seeming inconsistency is that the ICS benchmark formulas consist of a conjunction
of linear equalities, and therefore no case splitting is required. The better performance
of ICS can be attributed to the higher quality of its implementation of FM compared to
that of PORTA, on top of which BFM is built, and CVC.

Fig. 2. Average time, in seconds, required for generating a SAT instance for a formula
with random Boolean structure, without conjunctions matrices. With conjunctions matrices
the time is almost negligible.

Fig. 3. Results achieved by the three tested solvers on several realistic examples from
different origins. '*' indicates running time exceeding 2 hours.

Our conclusion from the experiments is that the advantage of BFM, as stated in
the introduction, is in solving formulas that have a large number of disjunctions and
hence are hard for any method that is based on solving the various cases separately. The
results in figures 1 and 2 prove this observation. The results shown in figure 3, however,
are not conclusive. BFM has recently been integrated in the theorem prover C-prover
[14], which means that in the long run additional data concerning the performance of
this technique when solving real verification problems will be gathered.

Finally, as a direction for future research, we note that since both DLA and SAT
are NP-complete, there is no complexity argument to rule out the option of finding a
polynomial reduction of DLA to SAT. Finding such a reduction would make it possible to solve
larger formulas than can be solved by BFM.